pony | 8bb96b66c673841d4a513bb85a94ee3ded5bd30689173e5be16ed69c30766a00

Analysis

max time kernel
59s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20240704-en
resource tags

arch:x64arch:x86image:win10v2004-20240704-enlocale:en-usos:windows10-2004-x64system
submitted
04-07-2024 23:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

26b78358c63710aeb562fb47644e230e_JaffaCakes118.exe
Size

821KB
MD5

26b78358c63710aeb562fb47644e230e
SHA1

a8a8734c0500e270c363a7df2bd82e70ff840495
SHA256

8bb96b66c673841d4a513bb85a94ee3ded5bd30689173e5be16ed69c30766a00
SHA512

30a4f2034492141cc341ebde56ae1d28cfdd5152275db7f7078e4338b09e0ba4cdeb5eb343cb2d73c0ef9600e50e3252ed9fdb0314ba2d5270d21479b9e5f5bb
SSDEEP

12288:9xzvtHKFjnkAqqCy/0GgjV4U3T+q7HpqWyTw424jDjNyCRSE7Y1niMjaR056mcfg:9xzlqFbLq5ogjzTxLmf24j9ymBkia2Y

Score

10^/10

pony discovery evasion persistence rat spyware stealer upx

Malware Config

Signatures

Modifies security service 2 TTPs 1 IoCs
evasion

Modify Registry
T1112

Windows Service
T1543.003

Processes:

3R2R.exe

description ioc process

Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wscsvc\Start = "3" 3R2R.exe
Pony,Fareit
Pony is a Remote Access Trojan application that steals information.
rat spyware stealer pony

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wscsvc\Start = "3"	3R2R.exe

Boot or Logon Autostart Execution: Active Setup 2 TTPs 9 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

Processes:

explorer.exeexplorer.exeexplorer.exeexplorer.exeexplorer.exeexplorer.exeexplorer.exeexplorer.exeexplorer.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-771719357-2485960699-3367710044-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-771719357-2485960699-3367710044-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-771719357-2485960699-3367710044-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-771719357-2485960699-3367710044-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-771719357-2485960699-3367710044-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-771719357-2485960699-3367710044-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-771719357-2485960699-3367710044-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-771719357-2485960699-3367710044-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-771719357-2485960699-3367710044-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe

Disables taskbar notifications via registry modification
evasion

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

26b78358c63710aeb562fb47644e230e_JaffaCakes118.exe2 Gansta.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-771719357-2485960699-3367710044-1000\Control Panel\International\Geo\Nation	26b78358c63710aeb562fb47644e230e_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-771719357-2485960699-3367710044-1000\Control Panel\International\Geo\Nation	2 Gansta.exe

Executes dropped EXE 7 IoCs

Processes:

Susan Beth Pfeffer - Last Survivors 02 - The Dead And The Gone.exeic5.exe2 Gansta.exe3R2R.exe3R2R.exe3R2R.exe3F37.tmp

pid process

4632 Susan Beth Pfeffer - Last Survivors 02 - The Dead And The Gone.exe
3720 ic5.exe
4524 2 Gansta.exe
3324 3R2R.exe
2912 3R2R.exe
2104 3R2R.exe
4344 3F37.tmp
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

UPX packed file 8 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\nszC381.tmp\2 Gansta.exe	upx
behavioral2/memory/4524-35-0x0000000000400000-0x000000000040A000-memory.dmp	upx
behavioral2/memory/2912-53-0x0000000000400000-0x000000000046B000-memory.dmp	upx
behavioral2/memory/3324-54-0x0000000000400000-0x000000000046B000-memory.dmp	upx
behavioral2/memory/2104-120-0x0000000000400000-0x000000000046B000-memory.dmp	upx
behavioral2/memory/3324-122-0x0000000000400000-0x000000000046B000-memory.dmp	upx
behavioral2/memory/3324-354-0x0000000000400000-0x000000000046B000-memory.dmp	upx
behavioral2/memory/3324-1435-0x0000000000400000-0x000000000046B000-memory.dmp	upx

Adds Run key to start application 2 TTPs 1 IoCs
persistence

Registry Run Keys / Startup Folder
T1547.001

Modify Registry
T1112

Processes:

3R2R.exe

description ioc process

Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\5E5.exe = "C:\\Program Files (x86)\\LP\\9018\\5E5.exe" 3R2R.exe
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\5E5.exe = "C:\\Program Files (x86)\\LP\\9018\\5E5.exe"	3R2R.exe

Enumerates connected drives 3 TTPs 18 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

explorer.exeexplorer.exeexplorer.exeexplorer.exeexplorer.exeexplorer.exeexplorer.exeexplorer.exeexplorer.exe

description	ioc	process
File opened (read-only)	\??\F:	explorer.exe
File opened (read-only)	\??\F:	explorer.exe
File opened (read-only)	\??\F:	explorer.exe
File opened (read-only)	\??\F:	explorer.exe
File opened (read-only)	\??\F:	explorer.exe
File opened (read-only)	\??\F:	explorer.exe
File opened (read-only)	\??\D:	explorer.exe
File opened (read-only)	\??\D:	explorer.exe
File opened (read-only)	\??\F:	explorer.exe
File opened (read-only)	\??\D:	explorer.exe
File opened (read-only)	\??\F:	explorer.exe
File opened (read-only)	\??\D:	explorer.exe
File opened (read-only)	\??\F:	explorer.exe
File opened (read-only)	\??\D:	explorer.exe
File opened (read-only)	\??\D:	explorer.exe
File opened (read-only)	\??\D:	explorer.exe
File opened (read-only)	\??\D:	explorer.exe
File opened (read-only)	\??\D:	explorer.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

ic5.exe

description pid process target process

PID 3720 set thread context of 3936 3720 ic5.exe cmd.exe

description	pid	process	target process
PID 3720 set thread context of 3936	3720	ic5.exe	cmd.exe

Drops file in Program Files directory 3 IoCs

Processes:

3R2R.exe

description	ioc	process
File created	C:\Program Files (x86)\LP\9018\5E5.exe	3R2R.exe
File opened for modification	C:\Program Files (x86)\LP\9018\5E5.exe	3R2R.exe
File opened for modification	C:\Program Files (x86)\LP\9018\3F37.tmp	3R2R.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

explorer.exeexplorer.exeexplorer.exeexplorer.exeexplorer.exeexplorer.exeexplorer.exeexplorer.exeexplorer.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\0064	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{a45c254e-df1c-4efd-8020-67d146a850e0}\0011	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\0064	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Capabilities	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Capabilities	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0002	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\HardwareID	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Capabilities	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Capabilities	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Capabilities	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\0064	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{a45c254e-df1c-4efd-8020-67d146a850e0}\0011	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Capabilities	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	explorer.exe

Modifies Internet Explorer settings 1 TTPs 10 IoCs

adware spyware

Modify Registry

T1112

Processes:

SearchApp.exeSearchApp.exeSearchApp.exeSearchApp.exeSearchApp.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-771719357-2485960699-3367710044-1000\SOFTWARE\Microsoft\Internet Explorer\GPU	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-771719357-2485960699-3367710044-1000\Software\Microsoft\Internet Explorer\GPU	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-771719357-2485960699-3367710044-1000\SOFTWARE\Microsoft\Internet Explorer\GPU	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-771719357-2485960699-3367710044-1000\Software\Microsoft\Internet Explorer\GPU	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-771719357-2485960699-3367710044-1000\Software\Microsoft\Internet Explorer\GPU	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-771719357-2485960699-3367710044-1000\SOFTWARE\Microsoft\Internet Explorer\GPU	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-771719357-2485960699-3367710044-1000\Software\Microsoft\Internet Explorer\GPU	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-771719357-2485960699-3367710044-1000\SOFTWARE\Microsoft\Internet Explorer\GPU	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-771719357-2485960699-3367710044-1000\Software\Microsoft\Internet Explorer\GPU	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-771719357-2485960699-3367710044-1000\SOFTWARE\Microsoft\Internet Explorer\GPU	SearchApp.exe

Modifies registry class 64 IoCs

Processes:

explorer.exeexplorer.exeexplorer.exeexplorer.exeexplorer.exeexplorer.exeSearchApp.exeSearchApp.exeexplorer.exeexplorer.exeSearchApp.exeSearchApp.exeStartMenuExperienceHost.exeStartMenuExperienceHost.exeSearchApp.exeStartMenuExperienceHost.exeexplorer.exeStartMenuExperienceHost.exeStartMenuExperienceHost.exeStartMenuExperienceHost.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	explorer.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-771719357-2485960699-3367710044-1000\{82DBEA2C-77C6-4430-ACCB-A0BAF067E031}	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-771719357-2485960699-3367710044-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	explorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-771719357-2485960699-3367710044-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-771719357-2485960699-3367710044-1000_Classes\Local Settings	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-771719357-2485960699-3367710044-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\windows.search	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-771719357-2485960699-3367710044-1000_Classes\Local Settings\MuiCache	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-771719357-2485960699-3367710044-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-771719357-2485960699-3367710044-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total\ = "185"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-771719357-2485960699-3367710044-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Settings\Cache\History\CachePrefix = "Visited:"	SearchApp.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-771719357-2485960699-3367710044-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-771719357-2485960699-3367710044-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-771719357-2485960699-3367710044-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-771719357-2485960699-3367710044-1000_Classes\Local Settings	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-771719357-2485960699-3367710044-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-771719357-2485960699-3367710044-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-771719357-2485960699-3367710044-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-771719357-2485960699-3367710044-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\EdpDomStorage	SearchApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-771719357-2485960699-3367710044-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total\ = "185"	SearchApp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-771719357-2485960699-3367710044-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-771719357-2485960699-3367710044-1000_Classes\Local Settings\MuiCache	StartMenuExperienceHost.exe
Key created	\REGISTRY\USER\S-1-5-21-771719357-2485960699-3367710044-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-771719357-2485960699-3367710044-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total\ = "152"	SearchApp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-771719357-2485960699-3367710044-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\windows.search\Total = "56"	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-771719357-2485960699-3367710044-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\Total	SearchApp.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-771719357-2485960699-3367710044-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.PeopleExperienceHost_cw5n1h2txyewy\ApplicationFrame\Microsoft.Windows.PeopleExperienceHos = 6801000088020000	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-771719357-2485960699-3367710044-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\EdpDomStorage	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-771719357-2485960699-3367710044-1000_Classes\Local Settings\MuiCache	StartMenuExperienceHost.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-771719357-2485960699-3367710044-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.PeopleExperienceHost_cw5n1h2txyewy\ApplicationFrame\Microsoft.Windows.PeopleExperienceHos = 6801000088020000	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-771719357-2485960699-3367710044-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Settings\Cache\History\CachePrefix = "Visited:"	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-771719357-2485960699-3367710044-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\Total	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-771719357-2485960699-3367710044-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\microsoft.windows.search	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-771719357-2485960699-3367710044-1000_Classes\Local Settings\MuiCache	StartMenuExperienceHost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-771719357-2485960699-3367710044-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\microsoft.windows.search\ = "56"	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-771719357-2485960699-3367710044-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-771719357-2485960699-3367710044-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\windows.search	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-771719357-2485960699-3367710044-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-771719357-2485960699-3367710044-1000_Classes\Local Settings\MuiCache	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-771719357-2485960699-3367710044-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\microsoft.windows.search	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-771719357-2485960699-3367710044-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Settings\Cache\History\CachePrefix = "Visited:"	SearchApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-771719357-2485960699-3367710044-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\windows.search\Total = "23"	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-771719357-2485960699-3367710044-1000_Classes\Local Settings	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-771719357-2485960699-3367710044-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total\ = "185"	SearchApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-771719357-2485960699-3367710044-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\windows.search\Total = "23"	SearchApp.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-771719357-2485960699-3367710044-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.PeopleExperienceHost_cw5n1h2txyewy\ApplicationFrame\Microsoft.Windows.PeopleExperienceHos = 6801000088020000	explorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-771719357-2485960699-3367710044-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\microsoft.windows.search\ = "56"	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-771719357-2485960699-3367710044-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-771719357-2485960699-3367710044-1000_Classes\Local Settings\MuiCache	StartMenuExperienceHost.exe
Key created	\REGISTRY\USER\S-1-5-21-771719357-2485960699-3367710044-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\microsoft.windows.search	SearchApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-771719357-2485960699-3367710044-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total\ = "185"	SearchApp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-771719357-2485960699-3367710044-1000_Classes\Local Settings\MuiCache	StartMenuExperienceHost.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-771719357-2485960699-3367710044-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-771719357-2485960699-3367710044-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-771719357-2485960699-3367710044-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\EdpDomStorage	SearchApp.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-771719357-2485960699-3367710044-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-771719357-2485960699-3367710044-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\microsoft.windows.search	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-771719357-2485960699-3367710044-1000_Classes\Local Settings\MuiCache	SearchApp.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-771719357-2485960699-3367710044-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.PeopleExperienceHost_cw5n1h2txyewy\ApplicationFrame\Microsoft.Windows.PeopleExperienceHos = 6801000088020000	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-771719357-2485960699-3367710044-1000_Classes\Local Settings\MuiCache	StartMenuExperienceHost.exe

Suspicious behavior: EnumeratesProcesses 26 IoCs

Processes:

3R2R.exe

pid	process
3324	3R2R.exe
3324	3R2R.exe
3324	3R2R.exe
3324	3R2R.exe
3324	3R2R.exe
3324	3R2R.exe
3324	3R2R.exe
3324	3R2R.exe
3324	3R2R.exe
3324	3R2R.exe
3324	3R2R.exe
3324	3R2R.exe
3324	3R2R.exe
3324	3R2R.exe
3324	3R2R.exe
3324	3R2R.exe
3324	3R2R.exe
3324	3R2R.exe
3324	3R2R.exe
3324	3R2R.exe
3324	3R2R.exe
3324	3R2R.exe
3324	3R2R.exe
3324	3R2R.exe
3324	3R2R.exe
3324	3R2R.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

ic5.exemsiexec.exe2 Gansta.exeexplorer.exeexplorer.exeexplorer.exe

description	pid	process
Token: SeDebugPrivilege	3720	ic5.exe
Token: SeSecurityPrivilege	3680	msiexec.exe
Token: SeIncBasePriorityPrivilege	4524	2 Gansta.exe
Token: SeShutdownPrivilege	2880	explorer.exe
Token: SeCreatePagefilePrivilege	2880	explorer.exe
Token: SeShutdownPrivilege	2880	explorer.exe
Token: SeCreatePagefilePrivilege	2880	explorer.exe
Token: SeShutdownPrivilege	2880	explorer.exe
Token: SeCreatePagefilePrivilege	2880	explorer.exe
Token: SeShutdownPrivilege	2880	explorer.exe
Token: SeCreatePagefilePrivilege	2880	explorer.exe
Token: SeShutdownPrivilege	2880	explorer.exe
Token: SeCreatePagefilePrivilege	2880	explorer.exe
Token: SeShutdownPrivilege	2880	explorer.exe
Token: SeCreatePagefilePrivilege	2880	explorer.exe
Token: SeShutdownPrivilege	2880	explorer.exe
Token: SeCreatePagefilePrivilege	2880	explorer.exe
Token: SeShutdownPrivilege	2880	explorer.exe
Token: SeCreatePagefilePrivilege	2880	explorer.exe
Token: SeShutdownPrivilege	2880	explorer.exe
Token: SeCreatePagefilePrivilege	2880	explorer.exe
Token: SeShutdownPrivilege	2880	explorer.exe
Token: SeCreatePagefilePrivilege	2880	explorer.exe
Token: SeShutdownPrivilege	2460	explorer.exe
Token: SeCreatePagefilePrivilege	2460	explorer.exe
Token: SeShutdownPrivilege	2460	explorer.exe
Token: SeCreatePagefilePrivilege	2460	explorer.exe
Token: SeShutdownPrivilege	2460	explorer.exe
Token: SeCreatePagefilePrivilege	2460	explorer.exe
Token: SeShutdownPrivilege	2460	explorer.exe
Token: SeCreatePagefilePrivilege	2460	explorer.exe
Token: SeShutdownPrivilege	2460	explorer.exe
Token: SeCreatePagefilePrivilege	2460	explorer.exe
Token: SeShutdownPrivilege	2460	explorer.exe
Token: SeCreatePagefilePrivilege	2460	explorer.exe
Token: SeShutdownPrivilege	2460	explorer.exe
Token: SeCreatePagefilePrivilege	2460	explorer.exe
Token: SeShutdownPrivilege	2460	explorer.exe
Token: SeCreatePagefilePrivilege	2460	explorer.exe
Token: SeShutdownPrivilege	2460	explorer.exe
Token: SeCreatePagefilePrivilege	2460	explorer.exe
Token: SeShutdownPrivilege	664	explorer.exe
Token: SeCreatePagefilePrivilege	664	explorer.exe
Token: SeShutdownPrivilege	664	explorer.exe
Token: SeCreatePagefilePrivilege	664	explorer.exe
Token: SeShutdownPrivilege	664	explorer.exe
Token: SeCreatePagefilePrivilege	664	explorer.exe
Token: SeShutdownPrivilege	664	explorer.exe
Token: SeCreatePagefilePrivilege	664	explorer.exe
Token: SeShutdownPrivilege	664	explorer.exe
Token: SeCreatePagefilePrivilege	664	explorer.exe
Token: SeShutdownPrivilege	664	explorer.exe
Token: SeCreatePagefilePrivilege	664	explorer.exe
Token: SeShutdownPrivilege	664	explorer.exe
Token: SeCreatePagefilePrivilege	664	explorer.exe
Token: SeShutdownPrivilege	664	explorer.exe
Token: SeCreatePagefilePrivilege	664	explorer.exe
Token: SeShutdownPrivilege	664	explorer.exe
Token: SeCreatePagefilePrivilege	664	explorer.exe
Token: SeShutdownPrivilege	664	explorer.exe
Token: SeCreatePagefilePrivilege	664	explorer.exe
Token: SeShutdownPrivilege	664	explorer.exe
Token: SeCreatePagefilePrivilege	664	explorer.exe
Token: SeShutdownPrivilege	664	explorer.exe

Suspicious use of FindShellTrayWindow 64 IoCs

Processes:

explorer.exeexplorer.exeexplorer.exe

pid	process
2880	explorer.exe
2880	explorer.exe
2880	explorer.exe
2880	explorer.exe
2880	explorer.exe
2880	explorer.exe
2880	explorer.exe
2880	explorer.exe
2880	explorer.exe
2880	explorer.exe
2880	explorer.exe
2880	explorer.exe
2880	explorer.exe
2880	explorer.exe
2880	explorer.exe
2880	explorer.exe
2460	explorer.exe
2460	explorer.exe
2460	explorer.exe
2460	explorer.exe
2460	explorer.exe
2460	explorer.exe
2460	explorer.exe
2460	explorer.exe
2460	explorer.exe
2460	explorer.exe
2460	explorer.exe
2460	explorer.exe
2460	explorer.exe
2460	explorer.exe
2460	explorer.exe
2460	explorer.exe
664	explorer.exe
664	explorer.exe
664	explorer.exe
664	explorer.exe
664	explorer.exe
664	explorer.exe
664	explorer.exe
664	explorer.exe
664	explorer.exe
664	explorer.exe
664	explorer.exe
664	explorer.exe
664	explorer.exe
664	explorer.exe
664	explorer.exe
664	explorer.exe
664	explorer.exe
664	explorer.exe
664	explorer.exe
664	explorer.exe
664	explorer.exe
664	explorer.exe
664	explorer.exe
664	explorer.exe
664	explorer.exe
664	explorer.exe
664	explorer.exe
664	explorer.exe
664	explorer.exe
664	explorer.exe
664	explorer.exe
664	explorer.exe

Suspicious use of SendNotifyMessage 64 IoCs

Processes:

explorer.exeexplorer.exeexplorer.exeexplorer.exe

pid	process
2880	explorer.exe
2880	explorer.exe
2880	explorer.exe
2880	explorer.exe
2880	explorer.exe
2880	explorer.exe
2880	explorer.exe
2880	explorer.exe
2880	explorer.exe
2880	explorer.exe
2880	explorer.exe
2460	explorer.exe
2460	explorer.exe
2460	explorer.exe
2460	explorer.exe
2460	explorer.exe
2460	explorer.exe
2460	explorer.exe
2460	explorer.exe
2460	explorer.exe
2460	explorer.exe
2460	explorer.exe
664	explorer.exe
664	explorer.exe
664	explorer.exe
664	explorer.exe
664	explorer.exe
664	explorer.exe
664	explorer.exe
664	explorer.exe
664	explorer.exe
664	explorer.exe
664	explorer.exe
664	explorer.exe
664	explorer.exe
664	explorer.exe
664	explorer.exe
664	explorer.exe
664	explorer.exe
664	explorer.exe
664	explorer.exe
664	explorer.exe
664	explorer.exe
664	explorer.exe
664	explorer.exe
664	explorer.exe
1712	explorer.exe
1712	explorer.exe
1712	explorer.exe
1712	explorer.exe
1712	explorer.exe
1712	explorer.exe
1712	explorer.exe
1712	explorer.exe
1712	explorer.exe
1712	explorer.exe
1712	explorer.exe
1712	explorer.exe
1712	explorer.exe
1712	explorer.exe
1712	explorer.exe
1712	explorer.exe
1712	explorer.exe
1712	explorer.exe

Suspicious use of SetWindowsHookEx 15 IoCs

Processes:

Susan Beth Pfeffer - Last Survivors 02 - The Dead And The Gone.exeStartMenuExperienceHost.exeStartMenuExperienceHost.exeStartMenuExperienceHost.exeSearchApp.exeStartMenuExperienceHost.exeSearchApp.exeStartMenuExperienceHost.exeSearchApp.exeStartMenuExperienceHost.exeSearchApp.exeStartMenuExperienceHost.exeStartMenuExperienceHost.exeSearchApp.exe

pid	process
4632	Susan Beth Pfeffer - Last Survivors 02 - The Dead And The Gone.exe
4632	Susan Beth Pfeffer - Last Survivors 02 - The Dead And The Gone.exe
4560	StartMenuExperienceHost.exe
1380	StartMenuExperienceHost.exe
3776	StartMenuExperienceHost.exe
4984	SearchApp.exe
3704	StartMenuExperienceHost.exe
4144	SearchApp.exe
2984	StartMenuExperienceHost.exe
3020	SearchApp.exe
3612	StartMenuExperienceHost.exe
720	SearchApp.exe
464	StartMenuExperienceHost.exe
216	StartMenuExperienceHost.exe
1868	SearchApp.exe

Suspicious use of WriteProcessMemory 28 IoCs

Processes:

26b78358c63710aeb562fb47644e230e_JaffaCakes118.exe2 Gansta.exeic5.exe3R2R.exe

description	pid	process	target process
PID 1880 wrote to memory of 4632	1880	26b78358c63710aeb562fb47644e230e_JaffaCakes118.exe	Susan Beth Pfeffer - Last Survivors 02 - The Dead And The Gone.exe
PID 1880 wrote to memory of 4632	1880	26b78358c63710aeb562fb47644e230e_JaffaCakes118.exe	Susan Beth Pfeffer - Last Survivors 02 - The Dead And The Gone.exe
PID 1880 wrote to memory of 4632	1880	26b78358c63710aeb562fb47644e230e_JaffaCakes118.exe	Susan Beth Pfeffer - Last Survivors 02 - The Dead And The Gone.exe
PID 1880 wrote to memory of 3720	1880	26b78358c63710aeb562fb47644e230e_JaffaCakes118.exe	ic5.exe
PID 1880 wrote to memory of 3720	1880	26b78358c63710aeb562fb47644e230e_JaffaCakes118.exe	ic5.exe
PID 1880 wrote to memory of 3720	1880	26b78358c63710aeb562fb47644e230e_JaffaCakes118.exe	ic5.exe
PID 1880 wrote to memory of 4524	1880	26b78358c63710aeb562fb47644e230e_JaffaCakes118.exe	2 Gansta.exe
PID 1880 wrote to memory of 4524	1880	26b78358c63710aeb562fb47644e230e_JaffaCakes118.exe	2 Gansta.exe
PID 1880 wrote to memory of 4524	1880	26b78358c63710aeb562fb47644e230e_JaffaCakes118.exe	2 Gansta.exe
PID 1880 wrote to memory of 3324	1880	26b78358c63710aeb562fb47644e230e_JaffaCakes118.exe	3R2R.exe
PID 1880 wrote to memory of 3324	1880	26b78358c63710aeb562fb47644e230e_JaffaCakes118.exe	3R2R.exe
PID 1880 wrote to memory of 3324	1880	26b78358c63710aeb562fb47644e230e_JaffaCakes118.exe	3R2R.exe
PID 4524 wrote to memory of 2032	4524	2 Gansta.exe	cmd.exe
PID 4524 wrote to memory of 2032	4524	2 Gansta.exe	cmd.exe
PID 4524 wrote to memory of 2032	4524	2 Gansta.exe	cmd.exe
PID 3720 wrote to memory of 3936	3720	ic5.exe	cmd.exe
PID 3720 wrote to memory of 3936	3720	ic5.exe	cmd.exe
PID 3720 wrote to memory of 3936	3720	ic5.exe	cmd.exe
PID 3720 wrote to memory of 3936	3720	ic5.exe	cmd.exe
PID 3324 wrote to memory of 2912	3324	3R2R.exe	3R2R.exe
PID 3324 wrote to memory of 2912	3324	3R2R.exe	3R2R.exe
PID 3324 wrote to memory of 2912	3324	3R2R.exe	3R2R.exe
PID 3324 wrote to memory of 2104	3324	3R2R.exe	3R2R.exe
PID 3324 wrote to memory of 2104	3324	3R2R.exe	3R2R.exe
PID 3324 wrote to memory of 2104	3324	3R2R.exe	3R2R.exe
PID 3324 wrote to memory of 4344	3324	3R2R.exe	3F37.tmp
PID 3324 wrote to memory of 4344	3324	3R2R.exe	3F37.tmp
PID 3324 wrote to memory of 4344	3324	3R2R.exe	3F37.tmp

System policy modification 1 TTPs 2 IoCs

evasion

Modify Registry

T1112

Processes:

3R2R.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	3R2R.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\HideSCAHealth = "1"	3R2R.exe

C:\Users\Admin\AppData\Local\Temp\26b78358c63710aeb562fb47644e230e_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\26b78358c63710aeb562fb47644e230e_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:1880

C:\Users\Admin\AppData\Local\Temp\nszC381.tmp\Susan Beth Pfeffer - Last Survivors 02 - The Dead And The Gone.exe
"C:\Users\Admin\AppData\Local\Temp\nszC381.tmp\Susan Beth Pfeffer - Last Survivors 02 - The Dead And The Gone.exe"
2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:4632

C:\Users\Admin\AppData\Local\Temp\nszC381.tmp\ic5.exe
"C:\Users\Admin\AppData\Local\Temp\nszC381.tmp\ic5.exe"
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3720

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe"
3⤵
PID:3936

C:\Users\Admin\AppData\Local\Temp\nszC381.tmp\2 Gansta.exe
"C:\Users\Admin\AppData\Local\Temp\nszC381.tmp\2 Gansta.exe"
2⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4524

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c del C:\Users\Admin\AppData\Local\Temp\nszC381.tmp\2GANST~1.EXE > nul
3⤵
PID:2032

C:\Users\Admin\AppData\Local\Temp\nszC381.tmp\3R2R.exe
"C:\Users\Admin\AppData\Local\Temp\nszC381.tmp\3R2R.exe"
2⤵
- Modifies security service
- Executes dropped EXE
- Adds Run key to start application
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
- System policy modification
PID:3324

C:\Users\Admin\AppData\Local\Temp\nszC381.tmp\3R2R.exe
C:\Users\Admin\AppData\Local\Temp\nszC381.tmp\3R2R.exe startC:\Users\Admin\AppData\Roaming\8358A\43690.exe%C:\Users\Admin\AppData\Roaming\8358A
3⤵
- Executes dropped EXE
PID:2912

C:\Users\Admin\AppData\Local\Temp\nszC381.tmp\3R2R.exe
C:\Users\Admin\AppData\Local\Temp\nszC381.tmp\3R2R.exe startC:\Program Files (x86)\8AA11\lvvm.exe%C:\Program Files (x86)\8AA11
3⤵
- Executes dropped EXE
PID:2104

C:\Program Files (x86)\LP\9018\3F37.tmp
"C:\Program Files (x86)\LP\9018\3F37.tmp"
3⤵
- Executes dropped EXE
PID:4344

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:3680

C:\Windows\explorer.exe
explorer.exe
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Enumerates connected drives
- Checks SCSI registry key(s)
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2880

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:4560

C:\Windows\explorer.exe
explorer.exe
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Enumerates connected drives
- Checks SCSI registry key(s)
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2460

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:1380

C:\Windows\explorer.exe
explorer.exe
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Enumerates connected drives
- Checks SCSI registry key(s)
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:664

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:3776

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:4984

C:\Windows\explorer.exe
explorer.exe
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Enumerates connected drives
- Checks SCSI registry key(s)
- Modifies registry class
- Suspicious use of SendNotifyMessage
PID:1712

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
- Suspicious use of SetWindowsHookEx
PID:3704

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:4144

C:\Windows\explorer.exe
explorer.exe
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Enumerates connected drives
- Checks SCSI registry key(s)
- Modifies registry class
PID:904

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:2984

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:3020

C:\Windows\explorer.exe
explorer.exe
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Enumerates connected drives
- Checks SCSI registry key(s)
- Modifies registry class
PID:4384

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:3612

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:720

C:\Windows\explorer.exe
explorer.exe
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Enumerates connected drives
- Checks SCSI registry key(s)
- Modifies registry class
PID:1540

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:464

C:\Windows\explorer.exe
explorer.exe
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Enumerates connected drives
- Checks SCSI registry key(s)
- Modifies registry class
PID:2664

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
- Suspicious use of SetWindowsHookEx
PID:216

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:1868

C:\Windows\explorer.exe
explorer.exe
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Enumerates connected drives
- Checks SCSI registry key(s)
- Modifies registry class
PID:1176

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:4592

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:736

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:964

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:2292

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:428

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:5076

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:448

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:712

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:836

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:2712

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:4364

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:3512

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:1264

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:1808

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:4460

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:3908

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:3524

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:4016

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:4948

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:4516

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:3360

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:832

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:1008

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:4324

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:2272

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:3596

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:3592

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:704

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:4860

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:3440

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:4328

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:736

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:860

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:2264

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:1172

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:4236

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:3752

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:4128

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:4716

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:3080

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:3696

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:3876

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:3920

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:4216

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:4688

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:1032

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:1284

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:1008

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:4528

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:2184

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:2052

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\LP\9018\3F37.tmp
Filesize
96KB

MD5
ba4818120b8c3c87a4437450f5968ea5

SHA1
d6e47a0c2b2bd8abef58f8d17d1883fc712e4301

SHA256
59d73ca73fa8bbec1bbcd19299ed082eb7a1f8f2c5343a498420a08f25bb8be9

SHA512
0c5e85d700f097a4dd299fc18019037bce4abcace311420bcc8011fc94ff247680112ce59fd0a1b9095aa988262c0ef5b1c903686fb864bd85e162a473599558

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\AC\TokenBroker\Cache\fbaf94e759052658216786bfbabcdced1b67a5c2.tbres
Filesize
2KB

MD5
afaf15d2a40a450080dc28d877c7905d

SHA1
5a50f3ddb4d3a45afa45942343f732d9432b43bb

SHA256
b621faacb60fad86d4edfc99b1558343fce9540a475e43790ff06473d7375c61

SHA512
832c7f8eeaa3fb6d89cef543ff2387b995d143e7dbee6d3726bb25297044e48178ae6ad637ba073f4c815251173c2c9cae773bab71a9274922d4939e789e3efa

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133646416749214701.txt
Filesize
75KB

MD5
ddcb015e07a972b51675e3e09102f6fb

SHA1
eaf3972c5f7fdd60ba8079daf4b2e66c4840fd2b

SHA256
cb7254a884079478eb45b3b70e98495127cf68bf4a61a519b96bc89e48206413

SHA512
450b7b0daaa4ca80f1c6414db18c35292423bee15d26fc0b2ea514244264c0bef98c621d54c91338306747334f3736f1bd8eaff9c186187173c8e6d85c1f140d

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.windows.search_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\NYEUYJCU\microsoft.windows[1].xml
Filesize
97B

MD5
f880a601483e658cfaa2e7f7a45f7e02

SHA1
95b83079bcb6351a32b1ebf2b48754d50cfa77c9

SHA256
2fa9f581ff26983eec4ad8dc44539ae88480a1530e58fa982925093b8ba41d54

SHA512
05aaf9711dc011e8c5ae0ff67169b3fdbc98d8ddb2da685075ad0043232c4e9235efd8894a93f438da0404102f367ce91f9d284e2d1203a8f45242a9f262d3c6

Download Submit
C:\Users\Admin\AppData\Local\Temp\nszC381.tmp\2 Gansta.exe
Filesize
6KB

MD5
bee76c79e2e63e198038e01f0d571038

SHA1
fcffdd6bb030f516a46e9d303ebae2ab33af222e

SHA256
50a3c7134460bfe5f2840bd8dc957edfaa76da5beaaff70f8da5e0fef80ae876

SHA512
dd2e9488ad365c02722e1a2466acffb8beaf4dbb68d7093e01c50cd915418ca0642cb6bdd43f2f2b014455803f3c69dec24ca9dfee11bdf7790379181cd2f6f9

Download Submit
C:\Users\Admin\AppData\Local\Temp\nszC381.tmp\3R2R.exe
Filesize
268KB

MD5
8950bca822967c72154e56665ba6f7f2

SHA1
27b8fa27459b32d3e7036a12dfa491ed08830ae7

SHA256
7bd9c2658c5bbc607001260297b4af162867658ffd5193852f06cf0129f7b2fb

SHA512
3d0dbe3eaa770fc9f94d88d6c7086cb5c7c12265f8d24751d320c53ad60bf3ebaf339d4bd70bd35c8db6edfaf803a6dda575348029e3e30f8cc3d96944d2b400

Download Submit
C:\Users\Admin\AppData\Local\Temp\nszC381.tmp\Susan Beth Pfeffer - Last Survivors 02 - The Dead And The Gone.exe
Filesize
286KB

MD5
103ba9354c4e9d347ff6f8ce79d5ac78

SHA1
f712236f2aaf09b55a5cb0fabc4ff30211b81ba9

SHA256
96dc78faba687cc3d2487bea020eb023e8213bf93ad605d180126cfc71a65d2e

SHA512
a2d11c8d0a23f5d2e7525c6730258cb7d2fff6e2a95fb04b4937919176f95a2f437a22868d6c27fb573ca9b16a0779369eb74f8b90d752012b8608dac9b90b28

Download Submit
C:\Users\Admin\AppData\Local\Temp\nszC381.tmp\ic5.exe
Filesize
221KB

MD5
3fda867750c14c38b0a1f79f79298825

SHA1
463fc723237fb873fd6b8dd169d5afb47e33bab2

SHA256
277c29efe466336c6de187db9f1f25ee35a7be9fdd1edf438cceb96b3bc8d9b8

SHA512
86c59af52b1874c804a2579a5c2f61dac156f7aa5c5337108d262ae974868a29305c86dab2d1ab425169e2ea97b90638f028831d58f8093955632204206a01b4

Download Submit
C:\Users\Admin\AppData\Roaming\8358A\AA11.358
Filesize
1KB

MD5
b5f6f0990b9f4e36c5fc80bedb5e3a0a

SHA1
c1d21998da1d784d40f8da185fcea6a6462dbd6f

SHA256
8653daf2cde3cdbd51c8cef3f21601ff151211c1c67a230fbde35a91b7b5dffd

SHA512
34147a2e53313d3ba413672f728d68a00c290fcf0c762c0ee8aeb898d076c47196aa4844d527e935368f3a4e3579bd56e6cab79f53f6a35010f3daf204822ab1

Download Submit
C:\Users\Admin\AppData\Roaming\8358A\AA11.358
Filesize
996B

MD5
ede0acbdcb7745cf2156cfe95cdfd87f

SHA1
98925e6fb575575dec8793584bad9386b03ba1a9

SHA256
a061899c10d62a7c9836b5de4027e6acd95d55c32abb8a1274e8dec40cdea6ad

SHA512
2fd315eef990a699f92cddf269b84138de92f184352e47b113da0042bbb8a6679b0a45c289f5c55e97656166c4566fc3461466b59a0e0719ad9bd85bc2ab6ff1

Download Submit
C:\Users\Admin\AppData\Roaming\8358A\AA11.358
Filesize
1KB

MD5
122f3d8869b463cc2fa32642264c83f7

SHA1
f48946b8df0a6b6af49327e32abfc23a4c5b1901

SHA256
ff2195d869a9b1f45a8020680f09bb141133501eeb66206db6b4eda4190c0535

SHA512
2e2f8254633263f9d39938ff46ef1e2e2e6e5799bfbe5bf1f0d9429624f8c31bcd95a7c75dfa1593e2e99d44f3808e9c06da948ab41b934eba98d9828e29331d

Download Submit
C:\Users\Admin\AppData\Roaming\8358A\AA11.358
Filesize
600B

MD5
696ff1ba3633e13c8c25f2cc0639c854

SHA1
9d8de486ff8fb40c0e429a2d2e738be7affe2cc2

SHA256
df813f83092251cbc276c51519dfa21a9293f1d7017cfe3792dafa943319b5d5

SHA512
2465d8cf1b6f239d9979bdb1660e73ab3e4a3494935a22fc3e50475b988f42ff6bfd6dd969c3324ff9f20b0a4b9316848f049f0ff311249d6dea2d51812cad23

Download Submit
memory/428-1143-0x000001BBB1000000-0x000001BBB1100000-memory.dmp

Filesize
1024KB

Download
memory/428-1155-0x000001BBB1EC0000-0x000001BBB1EE0000-memory.dmp

Filesize
128KB

Download
memory/428-1144-0x000001BBB1000000-0x000001BBB1100000-memory.dmp

Filesize
1024KB

Download
memory/428-1148-0x000001BBB1F00000-0x000001BBB1F20000-memory.dmp

Filesize
128KB

Download
memory/428-1171-0x000001BBB24E0000-0x000001BBB2500000-memory.dmp

Filesize
128KB

Download
memory/664-183-0x00000000045E0000-0x00000000045E1000-memory.dmp

Filesize
4KB

Download
memory/712-1290-0x0000025B63000000-0x0000025B63100000-memory.dmp

Filesize
1024KB

Download
memory/712-1289-0x0000025B63000000-0x0000025B63100000-memory.dmp

Filesize
1024KB

Download
memory/712-1288-0x0000025B63000000-0x0000025B63100000-memory.dmp

Filesize
1024KB

Download
memory/712-1293-0x0000025B64160000-0x0000025B64180000-memory.dmp

Filesize
128KB

Download
memory/712-1316-0x0000025B64520000-0x0000025B64540000-memory.dmp

Filesize
128KB

Download
memory/712-1303-0x0000025B64120000-0x0000025B64140000-memory.dmp

Filesize
128KB

Download
memory/720-667-0x000002725D960000-0x000002725D980000-memory.dmp

Filesize
128KB

Download
memory/720-674-0x000002725D920000-0x000002725D940000-memory.dmp

Filesize
128KB

Download
memory/720-698-0x000002725DD30000-0x000002725DD50000-memory.dmp

Filesize
128KB

Download
memory/736-966-0x000001A924670000-0x000001A924690000-memory.dmp

Filesize
128KB

Download
memory/736-996-0x000001A924A40000-0x000001A924A60000-memory.dmp

Filesize
128KB

Download
memory/736-971-0x000001A924630000-0x000001A924650000-memory.dmp

Filesize
128KB

Download
memory/736-962-0x000001A923520000-0x000001A923620000-memory.dmp

Filesize
1024KB

Download
memory/736-961-0x000001A923520000-0x000001A923620000-memory.dmp

Filesize
1024KB

Download
memory/836-1442-0x0000000004410000-0x0000000004411000-memory.dmp

Filesize
4KB

Download
memory/904-509-0x0000000004720000-0x0000000004721000-memory.dmp

Filesize
4KB

Download
memory/964-1141-0x0000000004C20000-0x0000000004C21000-memory.dmp

Filesize
4KB

Download
memory/1176-960-0x0000000004010000-0x0000000004011000-memory.dmp

Filesize
4KB

Download
memory/1712-357-0x00000000045E0000-0x00000000045E1000-memory.dmp

Filesize
4KB

Download
memory/1868-820-0x00000146ABB90000-0x00000146ABBB0000-memory.dmp

Filesize
128KB

Download
memory/1868-852-0x00000146ABF60000-0x00000146ABF80000-memory.dmp

Filesize
128KB

Download
memory/1868-848-0x00000146ABB50000-0x00000146ABB70000-memory.dmp

Filesize
128KB

Download
memory/2104-120-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/2664-813-0x00000000040A0000-0x00000000040A1000-memory.dmp

Filesize
4KB

Download
memory/2912-53-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/3020-516-0x0000027E832E0000-0x0000027E83300000-memory.dmp

Filesize
128KB

Download
memory/3020-528-0x0000027E832A0000-0x0000027E832C0000-memory.dmp

Filesize
128KB

Download
memory/3020-538-0x0000027E838C0000-0x0000027E838E0000-memory.dmp

Filesize
128KB

Download
memory/3020-511-0x0000027E82500000-0x0000027E82600000-memory.dmp

Filesize
1024KB

Download
memory/3020-512-0x0000027E82500000-0x0000027E82600000-memory.dmp

Filesize
1024KB

Download
memory/3324-354-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/3324-54-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/3324-122-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/3324-1435-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/3720-42-0x0000000000400000-0x0000000000464000-memory.dmp

Filesize
400KB

Download
memory/3720-25-0x0000000000400000-0x0000000000464000-memory.dmp

Filesize
400KB

Download
memory/4144-359-0x00000223B5250000-0x00000223B5350000-memory.dmp

Filesize
1024KB

Download
memory/4144-361-0x00000223B5250000-0x00000223B5350000-memory.dmp

Filesize
1024KB

Download
memory/4144-364-0x00000223B63B0000-0x00000223B63D0000-memory.dmp

Filesize
128KB

Download
memory/4144-376-0x00000223B6370000-0x00000223B6390000-memory.dmp

Filesize
128KB

Download
memory/4144-396-0x00000223B6780000-0x00000223B67A0000-memory.dmp

Filesize
128KB

Download
memory/4344-353-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/4364-1446-0x0000015469500000-0x0000015469600000-memory.dmp

Filesize
1024KB

Download
memory/4364-1445-0x0000015469500000-0x0000015469600000-memory.dmp

Filesize
1024KB

Download
memory/4384-659-0x0000000004560000-0x0000000004561000-memory.dmp

Filesize
4KB

Download
memory/4524-35-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/4984-200-0x000001AC4E300000-0x000001AC4E320000-memory.dmp

Filesize
128KB

Download
memory/4984-187-0x000001AC4D400000-0x000001AC4D500000-memory.dmp

Filesize
1024KB

Download
memory/4984-186-0x000001AC4D400000-0x000001AC4D500000-memory.dmp

Filesize
1024KB

Download
memory/4984-185-0x000001AC4D400000-0x000001AC4D500000-memory.dmp

Filesize
1024KB

Download
memory/4984-190-0x000001AC4E340000-0x000001AC4E360000-memory.dmp

Filesize
128KB

Download
memory/4984-215-0x000001AC4E920000-0x000001AC4E940000-memory.dmp

Filesize
128KB

Download
memory/5076-1287-0x00000000043E0000-0x00000000043E1000-memory.dmp

Filesize
4KB

Download